Masterclass: India Inc’s New Data Privacy Imperative

A new personal data protection bill was tabled in Parliament on December 11, 2019. The proposed legislation will have a deep impact in how businesses need to organise themselves. Many businesses chant the mantra: ‘Data is the new oil’. The proposed legislation will change how that ‘new oil’ is extracted, processed and used.

The Founding Fuel Masterclass, held on Zoom on December 19, 2019, addressed the questions that are on the minds of business leaders: Why do we need such a law? What should businesses know about what’s in the bill? And how should they prepare for what’s coming?

The panel included

Prof Rishikesha Krishnan, Member, Srikrishna Committee on Data Protection and Professor of Strategy, IIM-B

Anuradha Rao, former Chief Digital Officer and Deputy MD (Digital and Strategy), State Bank of India

Rahul Matthan, leading voice in technology law, author of Privacy 3.0, noted columnist and Partner, Trilegal     

Why did we need data protection legislation in the first place?

• Give customers assurance: Entire business models are drawn out of the use of data. However, when customers suddenly see their data is available on the dark web, there is a tremendous sense of insecurity. They want an assurance that their data is used properly for the purpose they are comfortable with.

• A framework of regulation will create confidence in both parties to go ahead and engage in that increasingly digital relationship. So business can move forward rather than temporary assurance when something goes wrong.

• Current systems can’t cope with the volume of data: Even in banking—where protecting customer data is a fundamental tenet—their systems may not stand the test in a completely digital environment where data is pouring in in large volumes.

• Inclusion: We want to unlock all the benefits of a data-driven digital economy. Inclusion went as far as opening bank accounts. But the data here is very thin. To pull that in a safe manner and to enable it to come together to create products and services for that layer of customer is what needs to come into place in order to transform the country.

• A driver to become a rich nation: Our opportunity to become as rich as Europe, to develop, is largely going to be driven by the way in which we use data. We need to set up a framework in which all those who want to use data for development can do it safely.

• For a long time businesses around the world were looking at India, saying when are you going to get a data protection law? India needs a modern law.

• This is not a data protection bill for protection sake. This is a bill which enables you to share in a protected manner.

• One important diver for such a law is the security and safety of the country.

What should businesses know about the law?

• Some principles that guided the Sri Krishna committee while drafting the report

1. Balance the interests of different stakeholders—the individual, the data fiduciary (a person or entity who determines the purpose and means of processing personal data), and the state—in such a way that India can unlock the potential of the digital and data economy.

2. A consent framework, where any individual has the right as well as a process to give consent for using any of their data. The consent has to be free and informed, specific, clear and capable of being withdrawn.

3. A quasi product liability framework. If the data fiduciary fails to take adequate safeguards to protect personal data, there were significant penalties.

• In the principles, a lot has been taken from GDPR: Consent, data minimization, purpose and use limitation.

• Though there are unique variations: Localization (though the current formulation of localization is neither here nor there); portability (a provision that exists everywhere) when coupled with the consent manager and the data architecture, is going to be different in the Indian context.

• The privacy by design policy is confusing. No one really knows what privacy by design is.

• In India, the "how" of what we do is going to be different rather than “what”. Because we will have to solve for big firm, small firm, and for the geographical complexity of this country. And because we cannot end up with this requirement adding phenomenal cost.

What is going to change for businesses? What is the immediate impact?

• Business processes are going to change.

• In a bank, as the data fiduciary, I have been able to use the data of customers whichever way I wanted so far. Today, even to use the customer’s data to create and offer a product for him, I need consent. I need to be able to record that concert.

• In order to share the information of one of my customers with any other entity that asks for this information, I need to go to the Consent Manager prescribed by the regulator of the sector.

• Once this additional consent layer is required to be recorded, it requires a change in business process. You’ll need to seek specific consent to be able to share the data with your vendors who actually deliver your product.

• You’ll need to restructure how data is stored. Traditionally, there is data all over the place, say in distant sales offices, and in different systems. You’ll need more sophisticated IT systems to be able to manage this.

• You’ll need to create a consent library. As a fiduciary, you will need to control the way data is consumed within the organization. Which means, you need a data governance layer on top of the database or data warehouse. This is the library of all the consents which all your customers have given you.

• Access rights will need to become more rigorous and designed to comply with the law. When anybody in the organization queries for a fresh piece of data, now, it will have to go through the library to check whether this data can be shared with that specific person.

• Compliance will definitely become one of the big issues. Data privacy will become part of an agenda item on the risk committee, and would need to be presented to the board. You’ll have a specific officer who is required to be signing off on this compliance. That is the additional layer of organizational and operational complexity that will be added.

• Once the law comes into force, anyone off the street can come to you and say, “Do you process my data?” If you say yes, you also have to tell them what data you have and what you are using it for. If they say you've made a mistake, you've got to have the ability to change that data. If they say please delete it, you have to delete the data, unless it's required for law enforcement purposes.

• And you’ll need to do all this in a very short time: Businesses in Europe and elsewhere have had close to three decades to get to where they are now. In India, we're going to have to do all of that, literally in one or two years.

Are businesses ready for all these big changes?

• We are not ready at all. And there's no way we can be at this stage. Certain things need to be in place first

• The law needs to be enacted. Then the Data Protection Authority (DPA) has to be established. The DPA will then start issuing guidance on various things. Until all of that happens, businesses can certainly not be ready.

• The bill provides a pretty broad framework, but a lot of the filling in the blanks has to be done by the DPA in collaboration with the sectoral regulators, and of course, taking inputs from industry associations and others.

• This bill requires a data fiduciary to be responsible, in an auditable way, for the way an innovator or service provider uses the shared data. And this piece, of having an audit system, is just not there.

• An entity like SBI has a thousand vendors. And they are also vendors to 20 different entities. They cannot be coping with 20 different entities coming and auditing them all the time.

• Each vendor has their own software platform, and will come up with their own governance model trying to satisfy both the regulator and principal users like SBI. Every time there's a change in law, everybody would have to go around making changes. And auditors would have to learn each of those things in order to effectively audit.

• Instead of all this, it would be much more sensible to have a governance layer as a commoditized platform. And the assurance is given because that's a regulated entity, and you're able to just plug in both as a fiduciary and a step-down fiduciary. The auditor just audits that one entity on behalf of all users.

• The large number of small businesses have no wherewithal to build such a system. It is not that they are unwilling, they are unable. We must be able to tell them that here is a Tally equivalent, to just plug it in, and you will be compliant.

• Another layer of complexity is that every single industry will need to have systems at that level of complexity. Some of the vendors that serve the banks could potentially also be serving the healthcare industry or the insurance industry, and the things that they need to do in those contexts will be different.

All businesses say they are customer-centric. But they struggle to put customer privacy ahead of business interests. How do you start to change that?

• Changing mindsets is very difficult. You need to start with changing behaviour.

• People act in accordance with their incentives. Align the KPIs to what you want, define them and measure them accordingly, and the organization will start behaving the way we need it to.

On balancing innovation and data privacy

• There is a provision for creation of sandboxes. Again, like many other things here, how exactly that is put into practice will depend on the DPA.

• No one is going to provide you a service if they don't know who you are. As services are becoming more and more data driven, they actually rely on the history of your data in order to provide you the bare minimum service.

More on Founding Fuel Masterclasses

Eating our own dog food: What the team is learning from our masterclasses—it’s work in progress

Being indistractable: Masterclass with Nir Eyal: Why do we get distracted and what can we do about it? A learning session on how to get your jobs done and lead a life that’s true to your values

How platforms really work: A week-long interactive immersion: November 25-29, 2019: A special week of learning on the Future of Platforms for the Founding Fuel community.

• [Read] Making sense of the New Capitalists | By Haresh Chawla: Your smartphone is the gateway for platform businesses to drive their hooks deep into your psyche and pockets, edge out traditional businesses, and reset markets. In doing so, they are becoming monopolies, the likes of which we’ve never seen before. What is fair play in this new world?
• [Read] The difficulty of cross-selling | By NS Ramnath: How far can businesses push the power of platforms to sell new types of products?
• [Read] How platforms really work: A reading list | By NS Ramnath: A curated list of articles, videos and a podcast, as part of our week of learning on the Future of Platforms
• [Watch the Founding Fuel Masterclass] Understanding platform power—disruption or destruction? Platforms, data, analytics are not going to go away. The good news for incumbents: they do have strengths they can play to. The bad news: They will need a different mindset and rethink customer experience.

Masterclass on Transforming Systems with Arun Maira: A special learning project with Arun Maira, one of India’s leading public intellectuals, based on his new book—and perhaps his most influential work—Transforming Systems: Why The World Needs a New Ethical Toolkit. The masterclass includes guest columns on three themes:

1. Building Purpose-Driven Networked Organisations: Why Their Time Has Come 
2. A New Model of Change: Why Complex Global Problems Need Local Systems Solutions
3. Creating Ethical Leaders of Tomorrow